The Reserve Bank of India's Guidance Notes on Operational Risk Management (ORM) and Operational Resilience (OR) provide a comprehensive framework for financial institutions to manage and mitigate risks.
Principle 1 emphasizes the need for a strong ORM framework integrating risk management into the institution's culture and governance. Principle 2 highlights the importance of governance and oversight, ensuring that the board and senior management are actively involved in ORM processes. Principle 3 focuses on comprehensive risk identification, urging institutions to identify and assess all potential operational risks. Principle 4 addresses risk assessment and measurement, encouraging institutions to quantify risks and understand their potential impact. Principle 5 emphasizes the importance of effective risk monitoring and reporting to ensure that risks are continuously tracked and communicated across the organization.
Principle 6 focuses on risk mitigation and control, outlining strategies to reduce the likelihood and impact of operational risks. Principle 7 emphasizes the importance of change management in maintaining operational stability during transitions or disruptions. Principle 8 addresses the need to regularly monitor and report operational risks, ensuring institutions stay vigilant and responsive. Principle 9 highlights the significance of comprehensive mapping for critical operations, helping institutions identify and manage dependencies. Principle 10 stresses the need to manage third-party dependencies, particularly those that could impact the institution's ability to operate during a crisis.
Principle 11 emphasizes managing third-party dependencies, especially in operational disruptions. Principle 12 focuses on business continuity planning and testing, ensuring institutions are prepared for potential crises. Principle 13 addresses incident management, outlining best practices for responding to operational disruptions. Principle 14 highlights the role of Information and Communication Technology (ICT) and cybersecurity in safeguarding operations. Principle 15 emphasizes transparent disclosure and reporting of risks and incidents to stakeholders. Principle 16 encourages institutions to evaluate past incidents and integrate lessons learned into future plans. Finally, Principle 17 stresses the importance of continuous improvement through feedback systems, ensuring that ORM and OR strategies evolve in response to changing risks and operational environments.
This OR intermediate and expert training is designed for global OR implementation. If you want to learn more about implementing business continuity management, there is a BCM intermediate- and expert-level implementer course to attend.
Under each principle, the summary is followed by the corresponding text extracted from the original RBI document (the second row of each principle in the original table): https://website.rbi.org.in/web/rbi/-/notifications/guidance-note-on-operational-risk-management-and-operational-resilience
eBook1
Principles 1 to 5 focus on establishing a robust ORM environment.

Principle 1 | Integrate RM into Culture and Governance
Principle 1 emphasizes the need for a robust ORM framework that integrates risk management into the institution's culture and governance.
RBI Guidance Note: The Board of Directors should take the lead in establishing a strong risk management culture, which should be implemented by Senior Management. The Board of Directors and Senior Management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behaviour, and ensure that staff receive appropriate risk management and ethics training.

Principle 2 | Integrate ORMF & BoD Oversight
Principle 2 highlights the importance of governance and oversight, ensuring that the board and senior management are actively involved in ORM processes.
RBI Guidance Note: REs should develop, implement and maintain an ORMF that is fully integrated into the RE’s overall risk management processes. The ORMF adopted by an individual RE will depend on a range of factors, including its nature, size, complexity and risk profile. Further, REs should utilize their existing governance structure to establish, oversee and implement an effective operational resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimise their impact on delivering critical operations through disruption.

Principle 3 | Ensure BoD Oversight of ORMF
Principle 3 emphasises a comprehensive and systematic approach to risk identification, urging institutions to identify and assess all potential operational risks.
RBI Guidance Note: The Board of Directors should approve and periodically review the ORMF and Operational Resilience approach, and ensure that Senior Management implements the policies, processes and systems of the ORMF and Operational Resilience approach effectively at all decision levels.

Principle 4 | Review Risk Appetite & OR Tolerance
Principle 4 addresses risk assessment and measurement, encouraging institutions to quantify risks and understand their potential impact.
RBI Guidance Note: The Board of Directors should approve and periodically review a risk appetite and tolerance statement for Operational Risk that articulates the nature, types and levels of Operational Risk the RE is willing to assume. The Board of Directors should also review and approve the criteria for identification and classification as critical operations as well as of impact tolerances for each critical operation, to enhance RE’s Operational Resilience.

Principle 5 | Establish Risk Monitoring & Reporting
Principle 5 emphasizes the importance of effective risk monitoring and reporting to ensure that risks are continuously tracked and communicated across the organization.
RBI Guidance Note: Senior Management should develop for approval by the Board of Directors a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility. Senior Management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing Operational Risk in all of the RE’s material products, activities, processes and systems consistent with its risk appetite and tolerance statement.
eBook2
Principles 6 to 10 build on this foundation by addressing specific areas of ORM and OR.

Principle 6 | Implement OR Identification & Assessment
Principle 6 focuses on risk mitigation and control, outlining strategies to reduce the likelihood and impact of operational risks.
RBI Guidance Note: Senior Management should ensure the comprehensive identification and assessment of the Operational Risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Both internal and external threats and potential failures in people, processes and systems should be assessed promptly and on an ongoing basis. Assessment of vulnerabilities in critical operations should be done in a proactive and prompt manner. All the resulting risks should be managed in accordance with operational resilience approach.

Principle 7 | Ensure Change Management Adequacy
Principle 7 emphasizes the importance of change management in maintaining operational stability during transitions or disruptions.
RBI Guidance Note: Senior Management should ensure that the RE’s change management process is comprehensive, appropriately resourced and adequately articulated between the relevant lines of defence.

Principle 8 | Monitor & Report Operational Risk
Principle 8 addresses the need for regular monitoring and reporting of operational risks, ensuring institutions stay vigilant and responsive.
RBI Guidance Note: Senior Management should implement a process to regularly monitor Operational Risk profiles and material operational exposures. Appropriate reporting mechanisms should be in place at the Board of Directors, Senior Management, and business unit levels to support proactive management of Operational Risk.

Principle 9 | Set Up Internal Control Environment
Principle 9 emphasizes the importance of having well-designed and consistently applied internal controls to manage and mitigate operational risks.
RBI Guidance Note: REs should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

Principle 10 | Map Interconnections & Interdependencies
Principle 10 emphasizes the importance of comprehensive mapping of critical operations within financial institutions, helping them identify and manage their interconnections and interdependencies.
eBook3
The final principles, 11 to 17, focus on resilience and continuous improvement.

Principle 11 | Manage Third-Party Dependencies
Principle 11 underscores the importance of identifying, assessing, and monitoring risks tied to external vendors and partners, ensuring that these relationships do not compromise the institution's operational resilience.
RBI Guidance Note: REs should manage their dependencies on relationships, including those of, but not limited to, third parties (which include intragroup entities), for the delivery of critical operations.

Principle 12 | Integrate BC into ORMF
Principle 12 focuses on business continuity planning and testing, ensuring institutions are prepared for potential crises.
RBI Guidance Note: REs should have business continuity plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of a severe business disruption. These plans should be linked to the RE’s ORMF. REs should also conduct business continuity exercises under a range of severe but plausible scenarios to test their ability to deliver critical operations through disruption.

Principle 13 | Develop Incident Response and BC Plans
Principle 13 addresses incident management, outlining best practices for responding to operational disruptions.
RBI Guidance Note: REs should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the RE’s risk appetite and tolerance for disruption. REs should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.

Principle 14 | Implement ICT & Cybersecurity Response
Principle 14 highlights the role of Information and Communication Technology (ICT) and cybersecurity in safeguarding operations.
RBI Guidance Note: REs should implement a robust Information and Communication Technology (ICT) risk management programme in alignment with their ORMF and ensure a resilient ICT including cyber security that is subject to protection, detection, response, and recovery programmes that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes to fully support and facilitate the delivery of the RE’s critical operations.

Principle 15 | Disclose ORM & OR Exposures
Principle 15 emphasizes transparent disclosure and reporting of risks and incidents to stakeholders.
RBI Guidance Note: An RE’s public disclosures should allow stakeholders to assess its approach to Operational Risk management and its Operational Risk exposure.

Principle 16 | Conduct Post-Disruption Lessons Learned
Principle 16 encourages institutions to evaluate past incidents and integrate lessons learned into future plans.
RBI Guidance Note: A lessons learned exercise should be conducted after a disruption to a critical or important business service to enhance an RE’s capabilities to adapt and respond to future operational events.

Principle 17 | Promote Continuous Improvement Culture
Principle 17 stresses the importance of continuous improvement through feedback systems, ensuring that ORM and OR strategies evolve in response to changing risks and operational environments.
RBI Guidance Note: An RE should promote an effective culture of learning and continuous improvement as operational resilience evolves through effective feedback systems.
The Annex
The Annex provides additional resources and guidelines to support the effective implementation of these principles.
The Reserve Bank of India's Guidance Notes on Operational Risk Management (ORM) and Operational Resilience (OR) provide a comprehensive framework to strengthen the resilience of financial institutions.
The guidelines emphasise a proactive and integrated approach, covering principles from establishing robust governance, identifying and mitigating risks, and managing change to ensuring business continuity through effective planning, incident management, and cybersecurity.
The focus on continuous monitoring, transparent communication, and learning from past incidents underscores the need for ongoing improvement. Together, these principles equip financial institutions in India to navigate an evolving risk landscape, ensuring stability and resilience in the face of challenges.
Reserve Bank of India's Guidance Note on ORM and OR Book Series
[1] Building Strong ORM Foundations: Operational Risk Management in Indian Financial Institutions
[2] Strengthening Resilience: Mapping and Managing Dependencies in Financial Operations
[3] Ensuring Business Continuity: BC Planning and Testing for Financial Institutions
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.